A novel feature extraction methodology using Siamese convolutional neural networks for intrusion detection
Cybersecurity, Pub Date: 2020-08-14, DOI: 10.1186/s42400-020-00056-4
Serafeim Moustakidis, Patrik Karlsson

Intrusion detection systems (IDS) can play a significant role in detecting security threats or malicious attacks that aim to steal information and/or corrupt network protocols. To deal with the dynamic and complex nature of cyber-attacks, advanced intelligent tools have been applied, resulting in powerful and automated IDS that rely on the latest advances in machine learning (ML) and deep learning (DL). Most of the reported effort has been devoted to building complex ML/DL architectures, adopting a brute-force approach towards the maximization of their detection capacity. However, only a limited number of studies have focused on the identification or extraction of user-friendly risk indicators that could be easily used by security experts. Many papers have explored various dimensionality reduction algorithms; however, a large number of selected features is still required to detect the attacks successfully, which humans cannot intuitively or immediately understand. To enhance users' trust in and understanding of the data without sacrificing accuracy, this paper contributes to the transformation of the available data collected by IDS into a single actionable and easy-to-understand risk indicator. To achieve this, a novel feature extraction pipeline was implemented consisting of the following components: (i) a fuzzy allocation scheme that transforms raw data to fuzzy class memberships, (ii) a novel modality transformation mechanism for converting feature vectors to images (Vec2im) and (iii) a dimensionality reduction module that makes use of Siamese convolutional neural networks and finally reduces the input data dimensionality into a 1-d feature space.
The performance of the proposed methodology was validated with respect to detection accuracy, dimensionality reduction performance and execution time on the NSL-KDD dataset via a thorough comparative analysis that demonstrated its effectiveness (86.64% testing accuracy using only one feature) over a number of well-known feature selection (FS) and extraction techniques. The output of the proposed feature extraction pipeline could be potentially used by security experts as an indicator of malicious activity, whereas the generated images could be further utilized and/or integrated as a visual analytics tool in existing IDS.

Updated: 2020-08-14